Cisco ASA VPN User Addition and Removal Guide

1 B27839, published June 23, 2015 Cisco ASA VPN user Addition and Removal Guideii 2015 CDK Global, LLC. All rights reserved. The CDK logo is a trademark of CDK Global, Keywords: Cisco ASA VPN user Addition and Removal , user Addition and Removal , CiscoASA, VPN, AnyConnect, of ContentsConfiguring user using user Group user Service user using ASDM 8 Learn user using CLIBy default, users inherit all user attributes from the assigned group policy. The ASA also lets you assign individual attributes at the user level, overriding values in the group policy that applyto that user . For example, you can specify a group policy giving all users access during business hours, but give a specific user 24-hour use the CLI, the user needs an application that can perform remote connection by telnet ( PuTTY, SecureCRT) or a console connection to the Cisco ASA. The user then needs to login and enter configuration UsersUsers are the individuals that establish IPSEC connections.

2 The Usernameand Passwordare the credentials that are passed to the ASA when prompted by the Software VPN Client for username/password. The Group Lock and the Service Type need to be configured when adding pre-configured user , asdmmgr is group locked to the AsdmGrp tunnel group and has the service type of Admin. The asdmmgr user Account also has privilege level 15 access, for managing the ASA through the ASDM Interface. is the default service accounts adpnoc and asdmmgr are the only accounts that will have privilege level 15 access. When a privilege level is not specified, it defaults to level 2, which is user Group LockThe Group Lock attribute will lock a specific user to a specified tunnel group. This feature prevents users from obtaining another users tunnel group name and password and attempting to create a connection with escalated privileges. Since the Username is Group Locked to their own Tunnel group, a connection cannot be established without the proper username, tunnel group name and ASAVPN user Additionand Removal Guide6 Configuring user Service TypeThe ServiceType attribute determines the typeof access a user has, not the devices they have access to.

3 By default, the service type is admin which allows full access (ASDM, ssh, telnet, and console to the ASA). The only user who should have the service type of 'admin' is the 'asdmmgr' user account. For all other user accounts set the service type to 'remote-access' (ASDM monitoring, no ssh, telnet, or console access to the ASA).Removing UsersWhen removing a user , the attributes must be removed first, prior to removing the : Refer to the Notes on Tunnel Group, Group Policies and Users user using ASDM7 Configuring user using ASDMP rerequisitesTo use the CLI, user needs to install the Cisco ASDM. To install, follow the steps the Cisco ASA IPthrough a web browser using the syntax https://<ip address of Cisco ASA>/adminthen click Install ASDM Launcher. Download of the installer will : You also have an option to choose Install Java Web Start and launch the ASDM as a Java app (requires updated Java runtime).

4 Installation once download completes and follow the step by step instruction ASAVPN user Additionand Removal the ASDM is installed, run the application and login to perform user ASDM procedureTo createand add a user to your custom group policy, complete Configuration, and then click Remote Access AAA/Local Users, and choose Local username and password information. Mark No ASDM, SSH, Telnet or Console user using the VPN Policytab. Ensure that the dealer group policy is displayed in the Group Policyfield. This user inherits all the characteristics of the dealer group OK, and then click Filethen Save Running Config to Flash or press CTRL + ASAVPN user Additionand Removal Guide10 Learn MoreRelease EssentialsFor information about new product releases, go to your application Help menu and select Release HelpGet instant information about your application screen. Click the Help button or F1 for context help in CDK Drive and other ConnectGet expert support and guidance without picking up the phone or leaving your desktop.

5 You can search the document library, collaborate with industry peers in the Service Connect Community, web chat with Support, and the Service Connect tab on your desktop to get started, or download the mobile app for Apple or Learning ConnectAccess hundreds of training courses, easy-to-use tools, and interactive resources. Log in for current schedules, registration, instructor-led learning, and and Fran ResourcesForms and SuppliesCall the number below and request supplies using the EasySource catalog number, or send an email to the following information: CMF number, dealership name, contact name, :800 -237-2372